On 10 June 2015 at 19:47, Long, Qin <qin.l...@intel.com> wrote:
> Lee, I totally agree with you. And ever made some tries years ago, but no
> result. :-(
> From OpenSSL community, there also were lots of requests about the supports
> to have smaller fingerprint for those embedded system (e.g. adding more
> MACRO to disable something). Also no positive feedback. That's why many
> derived projects were created, such as MatrixSSL, CyaSSL, etc. Looks OpenSSL
> Dev Team is still short of resource to do this.
>
> Moreover, in current EDKII-OpenSSL patch, I believe some issues we patched
> are really openssl issue: e.g.
> Missed DECLARE_PEM_write_fp_const definition if OPENSSL_NO_FP_API was
> used in pem.h
> Wrong memory allocation for paramid in x509_vpm.c
> ......
Those are fixed in the OpenSSL master branch now. The change that moves a
buffer allocation from the stack to the heap is not upstream, but may be a
candidate if we propose it as a standalone patch.

> At least, there should be valuable to upstream these changes, and we will
> have smaller patch in future. :-)
>

Agreed.

--
Ard.

> -----Original Message-----
> From: Blibbet [mailto:blib...@gmail.com]
> Sent: Saturday, June 6, 2015 3:56 AM
> To: edk2-devel@lists.sourceforge.net
> Subject: Re: [edk2] [patch 3/3] [CryptoPkg] Updates some support header files
> and wrapper files to support openssl-1.0.2a build, and correct some openssl
> API usages when handling ASN.1 en/decoding.
>
> Has there been any thought to upstream the libOpenSSL changes?
>
> It would be nice to be able to grab a current OpenSSL tarball and have it
> include UEFI support, and not have to patch it each time. Having the patches
> in trunk also makes the main OpenSSL developers aware of how their changes
> impact UEFI-centric codepaths, which they are currently blind to.
>
> The previous OpenSSL patch was apparently not acceptable to them. I hope some
> consideration has been made for this patch.
>
> Thanks,
> Lee
>
> On 06/05/2015 09:11 AM, Long, Qin wrote:
>> Copy that. Thanks biesheuvel.
>> I will double-check the GCC building.
>>
>>
>> Best Regards & Thanks,
>> LONG, Qin
>>
>> -----Original Message-----
>> From: Ard Biesheuvel [mailto:ard.biesheu...@linaro.org] >> Sent: Friday, June 5, 2015 5:20 PM >> To: edk2-devel@lists.sourceforge.net >> Subject: Re: [edk2] [patch 3/3] [CryptoPkg] Updates some support > header files and wrapper files to support openssl-1.0.2a build, and correct > some openssl API usages when handling ASN.1 en/decoding. >> >> Hello Long Qin, >> >> This patch breaks the build on GCC due to UINT8* variables being > passed as 'const unsigned char*' parameters. >> Please see below. >> >> On 5 June 2015 at 03:06, qlong <qin.l...@intel.com> wrote: >>> Contributed-under: TianoCore Contribution Agreement 1.0 >>> Signed-off-by: Long Qin <qin.l...@intel.com> >>> Signed-off-by: qlong <qin.l...@intel.com> >>> --- >>> CryptoPkg/Include/OpenSslSupport.h | 8 +++++++- >>> CryptoPkg/Include/memory.h | 16 > ++++++++++++++++ >>> CryptoPkg/Library/BaseCryptLib/Pk/CryptAuthenticode.c | 6 ++++-- >>> CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Sign.c | 10 +++++----- >>> CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c | 9 +++++---- >>> CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c | 10 +++++++--- >>> CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c | 6 ++++-- >>> 7 files changed, 48 insertions(+), 17 deletions(-) create mode >>> 100644 CryptoPkg/Include/memory.h >>> >> [...] >>> diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptAuthenticode.c >>> b/CryptoPkg/Library/BaseCryptLib/Pk/CryptAuthenticode.c >>> index 4ce2b06..9ace5e6 100644 >>> --- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptAuthenticode.c >>> +++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptAuthenticode.c 
>>> @@ -9,7 +9,7 @@ >>> AuthenticodeVerify() will get PE/COFF Authenticode and will do > basic check for >>> data structure. >>> >>> -Copyright (c) 2011 - 2014, Intel Corporation. All rights >>> reserved.<BR> >>> +Copyright (c) 2011 - 2015, Intel Corporation. All rights >>> +reserved.<BR> >>> This program and the accompanying materials are licensed and made >>> available under the terms and conditions of the BSD License which >>> accompanies this distribution. The full text of the license may be >>> found at @@ -72,6 +72,7 @@ AuthenticodeVerify ( { >>> BOOLEAN Status; >>> PKCS7 *Pkcs7; >>> + UINT8 *Temp; >> >> CONST UINT8 *Temp; >> >>> CONST UINT8 *OrigAuthData; >>> UINT8 *SpcIndirectDataContent; >>> UINT8 Asn1Byte; >>> @@ -96,7 +97,8 @@ AuthenticodeVerify ( >>> // >>> // Retrieve & Parse PKCS#7 Data (DER encoding) from Authenticode > Signature >>> // >>> - Pkcs7 = d2i_PKCS7 (NULL, &AuthData, (int)DataSize); >>> + Temp = (UINT8 *)AuthData; >>> + Pkcs7 = d2i_PKCS7 (NULL, &Temp, (int)DataSize); >>> if (Pkcs7 == NULL) { >>> goto _Exit; >>> } >> >> [...] >> >>> diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c >>> b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c >>> index a9665d5..06e4bb2 100644 >>> --- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c >>> +++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c >> [...] >>> @@ -618,7 +618,8 @@ Pkcs7Verify ( >>> // >>> // Read DER-encoded root certificate and Construct X509 Certificate >>> // >>> - Cert = d2i_X509 (NULL, &TrustedCert, (long) CertLength); >>> + Temp = (UINT8 *)TrustedCert; >>> + Cert = d2i_X509 (NULL, &Temp, (long) CertLength); >> >> Same here: temp should be declared as CONST UINT8* >> >>> if (Cert == NULL) { >>> goto _Exit; >>> } >> [...] >>> diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c >>> b/CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c >>> index e4b5a84..7456755 100644 >>> --- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c 
>>> +++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c >> [...] >>> @@ -441,6 +441,7 @@ TimestampTokenVerify ( >>> CONST UINT8 *TokenTemp; >>> PKCS7 *Pkcs7; >>> X509 *Cert; >>> + UINT8 *CertTemp; >> >> Same here >> >>> X509_STORE *CertStore; >>> BIO *OutBio; >>> UINT8 *TstData; >>> @@ -490,7 +491,8 @@ TimestampTokenVerify ( >>> // >>> // Read the trusted TSA certificate (DER-encoded), and Construct > X509 Certificate. >>> // >>> - Cert = d2i_X509 (NULL, &TsaCert, (long) CertSize); >>> + CertTemp = (UINT8 *)TsaCert; >>> + Cert = d2i_X509 (NULL, &CertTemp, (long) CertSize); >>> if (Cert == NULL) { >>> goto _Exit; >>> } >> [...] >>> diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c >>> b/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c >>> index 29efc42..66f79da 100644 >>> --- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c >>> +++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c >>> @@ -1,7 +1,7 @@ >>> /** @file >>> X.509 Certificate Handler Wrapper Implementation over OpenSSL. >>> >>> -Copyright (c) 2010 - 2014, Intel Corporation. All rights >>> reserved.<BR> >>> +Copyright (c) 2010 - 2015, Intel Corporation. All rights >>> +reserved.<BR> >>> This program and the accompanying materials are licensed and made >>> available under the terms and conditions of the BSD License which >>> accompanies this distribution. The full text of the license may be >>> found at @@ -39,6 +39,7 @@ X509ConstructCertificate ( >>> ) >>> { >>> X509 *X509Cert; >>> + UINT8 *Temp; >> >> ... and here >> >>> >>> // >>> // Check input parameters. 
>>> @@ -50,7 +51,8 @@ X509ConstructCertificate ( >>> // >>> // Read DER-encoded X509 Certificate and Construct X509 object. >>> // >>> - X509Cert = d2i_X509 (NULL, &Cert, (long) CertSize); >>> + Temp = (UINT8 *)Cert; >>> + X509Cert = d2i_X509 (NULL, &Temp, (long) CertSize); >>> if (X509Cert == NULL) { >>> return FALSE; >>> } >> >> >> Thanks, >> Ard. >> >> > ------------------------------------------------------------------------------ >> _______________________________________________ >> edk2-devel mailing list >> edk2-devel@lists.sourceforge.net >> https://lists.sourceforge.net/lists/listinfo/edk2-devel
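Review bot: In the CryptAuthenticode.c hunks (@@ -72,6 +72,7 @@ and @@ -96,7 +97,8 @@), `Temp` is declared as `UINT8 *Temp;` and assigned `Temp = (UINT8 *)AuthData;`, which casts away the const qualifier (the function already keeps a `CONST UINT8 *OrigAuthData` copy) and then passes `&Temp`, a `UINT8 **`, to d2i_PKCS7, whose input parameter is `const unsigned char **`; that pointer-type mismatch is what breaks the GCC build. Declare it `CONST UINT8 *Temp;` and assign `Temp = AuthData;` without the cast. Keep the separate variable rather than reverting to `&AuthData`, since d2i_PKCS7 writes the advanced position back through the pointer it is given.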
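Review bot: In the CryptPkcs7Verify.c hunk (@@ -618,7 +618,8 @@), `Temp = (UINT8 *)TrustedCert;` strips const from TrustedCert and then hands `&Temp` to d2i_X509 as a `UINT8 **`. The declaration of `Temp` is outside the visible hunk, but it needs the same treatment as in CryptAuthenticode.c: `CONST UINT8 *Temp;` with the cast removed, so the code compiles cleanly on GCC without discarding the qualifier.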
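Review bot: In the CryptTs.c hunks (@@ -441,6 +441,7 @@ and @@ -490,7 +491,8 @@), the new `UINT8 *CertTemp;` is added right after the existing `CONST UINT8 *TokenTemp;` in the same declaration block, and that existing line is the pattern to follow. Declare `CONST UINT8 *CertTemp;`, assign `CertTemp = TsaCert;` and drop the `(UINT8 *)` cast; the call `d2i_X509 (NULL, &CertTemp, (long) CertSize)` then matches the `const unsigned char **` parameter without a warning.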
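Review bot: In the CryptX509.c hunks (@@ -39,6 +39,7 @@ and @@ -50,7 +51,8 @@), X509ConstructCertificate has the same defect: `UINT8 *Temp;` plus `Temp = (UINT8 *)Cert;` should be `CONST UINT8 *Temp;` and `Temp = Cert;`. Since this is the fourth copy of the same three-line pattern in one series, a GCC build of CryptoPkg before the resend would catch all four occurrences at once; the copyright-year hunks in this file and in CryptAuthenticode.c are fine as they are.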